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December  18,2001 

Mr.  Martin  Benison 

Comptroller 

The  Commonwealth  of  Massachusetts 

In  planning  and  performing  the  single  audit  of  the  Commonwealth  of  Massachusetts  (the  "Commonwealth") 
for  the  year  ended  June  30,  2001,  on  which  we  have  issued  our  report  dated  December  18,  2001,  we 
considered  its  internal  control  in  order  to  determine  our  auditing  procedures  for  the  purpose  of  expressing  an 
opinion  on  the  financial  statements  and  not  to  provide  assurance  on  the  Commonwealth's  internal  control. 
We  noted  certain  matters  involving  the  Commonwealth's  internal  control  structure  and  compliance  of 
management  of  the  Commonwealth  with  laws  and  regulations  that  we  consider  to  be  reportable  conditions 
under  standards  established  by  the  American  Institute  of  Certified  Public  Accountants.  Those  matters  are 
identified  in  the  "Report  on  Compliance  with  Requirements  Applicable  to  Each  Major  Program  and  Internal 
Control  Over  Compliance  in  Accordance  with  OMB  Circular  A- 133,"  dated  December  18,  2001.  Reportable 
conditions  involve  matters  coming  to  our  attention  relating  to  significant  deficiencies  in  the  design  or 
operation  of  the  Commonwealth's  internal  control  that,  in  our  judgment,  could  adversely  affect  the 
Commonwealth's  ability  to  record,  process,  summarize,  and  report  financial  data  consistent  with  the 
assertions  of  management  in  the  financial  statements. 

Our  consideration  of  the  Commonwealth's  internal  control  would  not  necessarily  disclose  all  matters  in  the 
Commonwealth's  internal  control  that  might  be  reportable  conditions  and,  accordingly,  would  not  necessarily 
disclose  all  reportable  conditions  that  are  considered  material  weaknesses.  A  material  weakness  is  a 
reportable  condition  in  which  the  design  or  operation  of  one  or  more  of  the  internal  control  components  does 
not  reduce  to  a  relatively  low  level  the  risk  that  misstatements  caused  by  error  or  fraud  in  amounts  that  would 
be  material  in  relation  to  a  major  federal  program  being  audited  may  occur  and  not  be  detected  within  a  timely 
period  by  employees  in  the  normal  course  of  performing  their  assigned  functions.  Of  the  reportable 
conditions  noted  above,  the  matter  regarding  Roxbury  Community  College,  reported  to  management  of  the 
Commonwealth  in  the  "Report  on  Compliance  with  Requirements  Applicable  to  Each  Major  Program  and 
Internal  Control  Over  Compliance  in  Accordance  with  OMB  Circular  A- 13 3,"  dated  December  18,  2001,  is, 
in  our  judgment,  a  material  weakness. 

We  also  submit  our  comments  concerning  certain  observations  and  recommendations  relating  to  other 
accounting,  administrative,  and  operating  matters.  These  recommendations  resulted  from  our  observations 
made  in  connection  with  our  audit  of  the  Commonwealth  for  the  year  ended  June  30,  2001.  Our  comments, 
arranged  by  department,  are  presented  on  the  following  pages. 

This  report  is  intended  solely  for  the  information  and  use  of  management  and  federal  awarding  agencies  and 
is  not  intended  to  be  and  should  not  be  used  by  anyone  other  than  these  specified  parties. 


Yours  truly, 


Deloitte 

Touche 

Tohmatsu 


STATEWIDE  OBSERVATIONS 

Business  Continuity  Management 

September  11,  2001  confirmed,  for  many  entities,  the  virtues  of  effective  business  continuity  management 
However,  the  lessons  learned  from  these  events  highlight  the  need  to  challenge  some  previously  accepted 
assumptions,  strategies,  and  processes  and  refocus  efforts  in  areas  beyond  the  traditional  information 
technology  recovery  plans  to  areas  such  as  the  safety  and  welfare  of  people,  as  well  as  facilities  and 
communications  strategies. 

The  Commonwealth's  business  continuity  program  is  focused  primarily  on  information  technology  ("IT")  and 
does  not  extend  to  other  critical  business  functions,  nor  does  it  encompass  other  elements  of  effective 
business  continuity  management  such  as  employee  safety. 

Furthermore,  the  Commonwealth's  IT  disaster  recovery  plan  does  not  cover  all  of  the  information  systems  at 
every  agency.  In  2000,  a  disaster  recovery  plan  focused  on  the  data  center  and  the  systems  housed  in  the  data 
center  was  developed  by  the  Information  Technology  Department  ("ITD")  for  the  MITC  data  center  in 
Chelsea.  However,  several  agencies  do  not  host  their  systems  in  this  data  center  and  the  ITD  is  not 
responsible  for  monitoring  or  administering  such  systems.  These  agencies  are  responsible  for  developing, 
maintaining  and  managing  their  own  disaster  recovery  plans. 

The  Commonwealth  should  consider  a  centralized  business  continuity  management  program.  Such  a 
program  would  encompass  the  Commonwealth's  existing  IT-focused  recovery  activities  as  well  as  other  key 
continuity  components  such  as: 

•  Physical  Security  -  The  extraordinary  scale  of  the  recent  violence  made  it  clear  that  physical  security 
must  receive  the  utmost  attention  in  continuity  planning. 

•  Communications  Strategies  and  Returning  to  Productivity  -  After  physical  security,  verifying  employee 
status  and  returning  employees  to  work  are  key  priorities  for  resuming  business  functions. 
Comprehensive  communications  plans  must  be  put  in  place  to  reassure,  to  give  instructions,  and  to  share 
information. 

•  Facilities  Strategies  -  The  geographic  alignment  of  resources  and  operations  must  be  part  of  any  effective 
management  strategy.  Recent  trends  towards  operational  concentration  must  be  revisited. 

•  Extended  Enterprise  -  Communications  and  business  processes  with  suppliers  and  service  providers  must 
remain  viable  in  the  event  of  a  crisis  such  that  transactions  and  services  can  continue. 

•  Continuous  Availability  -  Continuous  systems  availability  should  be  the  key  goal  of  effective, 
comprehensive  business  continuity  management.  It  can  ensure  returning  to  normal  operations  in  minutes, 
rather  than  hours  or  days.  Investment  in  data  center  and  server  consolidation,  deployment  of  fault 
tolerance  systems,  and  data  storage  strategies  is  key  to  achieving  continuous  availability. 

•  Ongoing  Testing  and  Maintenance  -  An  essential  element  of  a  robust  business  continuity  management 
program  is  regular  testing  and  maintenance.  Organizations  that  make  investments  in  testing  experience 
strong  returns  on  their  efforts. 

Organizations  should  thoroughly  reassess  the  recovery  plans  and  the  associated  business  risks  and  mitigation 
strategies  given  the  events  of  September  1 1th. 
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New  Reporting  Model 

The  Governmental  Accounting  Standards  Board  (''GASB")  has  issued  GASB  Statement  No.  34,  ''Basic 
Financial  Statements  -  and  Management's  Discussion  and  Analysis  -  for  State  and  Local  Governments" 
("GASB  34").  Implementation  of  these  standards  is  required  during  the  coming  fiscal  year. 

This  statement  establishes  new  financial  reporting  standards  for  state  and  local  governments  and  component 
units.  They  are  designed  to  make  governmental  financial  reports  easier  to  understand  and  more  useful  to  the 
citizenry,  legislature,  oversight  bodies,  investors  and  creditors.  These  statements  include  requirements  for 
management's  discussion  and  analysis  and  dramatically  change  the  basic  format  of  the  financial  statements  by 
requiring  governments  to  provide  basic  financial  statements  on  both  government-wide  and  fund  perspectives. 

The  government-wide  financial  statements  will  provide  information  about  the  primary  government  and  its 
component  units  without  displaying  funds  or  fund  types.  The  financial  statements  will  distinguish  between 
the  governmental  and  business-type  activities  of  the  primary'  government  and  between  the  total  primary 
government  and  its  discretely  presented  component  units  (the  government-wide  perspective  will  not  include 
fiduciary  activities).  In  addition,  capital  assets  (including,  for  the  first  time,  all  infrastructure  assets  -  i.e., 
roads,  bridges  and  dams)  and  general  long-term  liabilities,  which  are  currently  reported  in  account  groups, 
will  be  reported  as  assets  and  liabilities  of  governmental  activities.  All  information  in  the  government-wide 
financial  statement  is  to  be  reported  using  the  economic  resources  measurement  focus  and  the  accrual  basis  of 
accounting,  similar  to  the  way  that  enterprise  funds  are  currently  reported  in  the  general  purpose  financial 
statements. 

Fund  perspective  financial  statements  will  provide  information  about  the  primary'  government's  fund  types, 
including  fiduciary  funds  and  blended  component  units.  Governments  will  present  separate  financial 
statements  for  each  fund  category  (governmental,  proprietary,  higher  education,  and  fiduciary)  and  will  no 
longer  present  a  combined  balance  sheet.  As  is  currently  required,  governmental  fund  financial  statements 
will  continue  to  focus  on  fiscal  accountability  and  report  the  flows  and  balances  of  current  financial  resources 
using  the  modified  accrual  basis  of  accounting.  Proprietary  and  fiduciary  fund  financial  statements  will 
continue  to  report  operating  results  and  financial  position  using  the  economic  resources  measurement  focus 
and  the  accrual  basis  of  accounting.  The  fund  perspective  will  also  include  component  units  that  are  fiduciary 
in  nature. 

One  of  the  most  significant  changes  in  this  new  statement  is  a  requirement  for  governmental  entities  to  record 
the  cost  of  infrastructure.  Since  this  information  has  not  been  reported  in  the  Commonwealth's  financial 
statements,  one  of  the  most  significant  hurdles  to  the  implementation  of  this  standard  is  the  accumulation  of 
the  historical  cost  of  infrastructure.  A  complete  and  accurate  accounting  of  these  assets  will  be  of  great 
importance  to  the  Commonwealth  because  of  the  inherent  inequities  in  certain  of  the  Commonwealth's  long- 
term  debt  obligations  with  which  the  Commonwealth  is  bonding  to  pay  for  assets  that  it  does  not  own.  When 
GASB  34  is  implemented,  these  inequities  will  inevitably  result  in  the  Commonwealth  reporting  liabilities  in 
excess  of  assets.  Ensuring  that  all  infrastructure  assets  are  properly  recorded  will  help  to  minimize  the  impact 
of  these  inherent  inequities. 

Over  the  past  18  months,  management  has  undertaken  a  series  of  projects  geared  towards  preparing  for  the 
implementation  date  of  this  standard.  These  projects  include: 

•  A  task  force  assigned  to  infrastructure  assets 

•  Developing  implementation  manuals  for  the  higher  education  institutions  and  component  units 

•  Assessment  of  the  proposed  changes  in  financial  reporting  that  will  result  from  the  implementation  of  this 
standard. 


As  the  Commonwealth  moves  into  the  year  of  implementation,  management  should  create  an  implementation 
task  force  to  control  and  monitor  the  process.  That  taskforce  should  be  responsible  for  developing  a  formal 
plan  for  implementation.    The  items  that  will  need  to  be  considered  include: 

•  A  program  to  support  the  higher  education  institutions  and  the  component  units  to  ensure  that  these 
entities  are  able  to  implement  these  standards  consistent  with  the  Commonwealth's  timelines; 

•  A  plan  for  monthly  contact  with  these  entities  to  assess  their  progress  towards  implementation  and  a 
program  to  support  these  entities  if  they  fall  behind  schedule; 

•  The  development  of  a  formal  timeline  for  the  conversion  of  the  Commonwealth's  financial  statements; 

•  The  establishment  of  deadlines  for  the  completion  of  the  infrastructure  assets  project; 

•  A  project  to  draft  a  management  discussion  and  analysis  that  complies  with  the  provisions  of  the 
statements; 

•  A  plan  to  re-assess  the  treatment  of  affiliated  organizations  and  other  Commonwealth  "governmental" 
entities  to  ensure  that  such  treatment  remains  appropriate;  and 

•  Educational  programs  to  ensure  that  current  guidance  being  provided  by  the  GASB  and  the  American 
Institute  of  Certified  Public  Accountants  is  properly  disseminated. 

Education  Program 

The  changes  to  the  governmental  reporting  model  will  focus  attention  on  the  overall  financial  condition  of  the 
government.  The  display  of  the  overall  operations  of  the  government  into  a  limited  number  of  columns  with 
debt  and  long-term  assets  combined  with  the  other  assets  and  liabilities  will  begin  to  place  an  emphasis  on  the 
question  of  whether  the  government's  financial  condition,  as  a  whole,  is  better  or  worse  than  in  the  previous 
year.  While  the  concept  is  commercial  in  nature,  the  emphasis  will  be  on  the  change  in  net  assets. 

This  emphasis  on  financial  condition  is  similar  to  the  emphasis  on  the  issue  of  intergenerational  equity.  This 
focus  should  be  on  the  development  of  plans  to  pay  for  long-term  obligations,  both  debt-related  and  nondcbt- 
related,  while  also  recognizing  that  financial  plans  need  to  exist  for  the  repair  or  replacement  of  fixed  assets 
and  infrastructure.  The  focus  is  not  so  much  on  the  growth  of  net  assets  as  it  is  on  the  maintaining  of  a  net 
asset  balance  that  demonstrates  a  sound  and  stable  financial  condition  with  sufficient  resources  to  offset 
economic  downturns. 

To  date,  management's  efforts  have  focused  on  educating  the  preparers  of  the  financial  statements  with  regard 
to  the  implications  of  adopting  these  standards.  Given  the  focus  on  the  overall  financial  condition  of  the 
Commonwealth  and  the  issues  of  intergovernmental  equity  that  are  inherent  to  the  new  financial  reporting 
model,  management  should  also  consider  developing  a  training  program  that  is  focused  on  educating  the 
administration,  the  Massachusetts  Legislature  (the  "Legislature"),  and  other  potential  users  of  the  financial 
statements  to  the  changes.  Models  should  be  developed  that  stress  the  need  for  plans  to  support  the  future 
financing  of  obligations  and  assets.  Management  should  ensure  that  legislators  understand  the  impact  that 
GASB  34  will  have  on  the  financial  statements  and  the  implications  of  legislative  action  on  financial 
reporting.  This  will  ensure  that  decisions  made  at  the  legislative  level  will  be  consistent  with  those  deemed 
prudent  by  management. 


Individual  Funds 

As  discussed  in  previous  years'  management  letters,  the  number  of  funds  required  by  the  Legislature  and  used 
by  the  Commonwealth  hampers  the  efficiency  of  the  accounting  and  financial  reporting  process.  In  fiscal 
year  2001,  the  Office  of  the  Comptroller  ("OSC"),  operating  under  the  requirements  of  State  Finance  Law  and 
the  requirements  of  the  Legislature  as  established  through  the  budget  and  Massachusetts  General  Laws,  used 
approximately  1 1 1  individual  funds  to  account  for  the  operations  of  the  Commonwealth. 

The  use  of  1 1 1  individual  funds  makes  it  difficult  for  either  internal  or  external  users  of  the  Commonwealth's 
financial  information  to  obtain  a  clear,  concise  understanding  of  the  overall  operations  and  financial  position 
of  the  Commonwealth.  Instead  of  enhancing  accountability,  the  large  number  of  funds  makes  it  difficult  for 
management  to  perform  both  the  analysis  of  operations  and  the  detection  of  errors. 

While  many  of  the  individual  funds  designated  by  the  Legislature  have  been  created  to  monitor  and  control 
resources  for  a  specific  purpose,  this  function  can  effectively  be  met  by  using  "sub-funds"  within  the  General 
Fund. 

The  existing  fund  structure  and  number  of  funds  have  resulted  in  the  following  issues: 

1.  Split  appropriations  require  extensive  effort  on  the  part  of  management  to  properly  account  for  the  fiscal 
year  activity  and  report  final  operating  results.  Split  appropriations  are  a  budgetary  practice  that  is  unique 
to  Massachusetts. 

2.  The  Legislature  regularly  budgets  expenditures  in  funds  without  providing  corresponding  revenue  to 
support  the  activity.  This  effectively  overstates  the  General  Fund  balance,  creates  deficits  in  other  funds, 
and  raises  the  question  of  whether,  in  fact,  a  balanced  budget  at  all  levels  has  been  passed  as  required  by 
Massachusetts  General  Laws. 

3.  When  the  Commonwealth  is  required  to  implement  GASB  34,  each  of  the  individual  1 1 1  funds  will  have 
to  be  analyzed  to  determine  if  it  should  be  reported  as  a  major  fund.  In  addition,  the  activities  of  the 
funds  will  need  to  be  reviewed  to  determine  the  "individual"  adjustments  necessary  to  bring  the  accounts 
to  full  accrual. 

4.  Accounting  principles  generally  accepted  in  the  United  States  of  America  require  all  fund  balance  deficits 
to  be  reported  in  the  financial  statements  along  with  a  plan  for  correcting  those  deficits.  Currently,  27 
funds  have  fund  balance  deficits. 

5.  GASB  Statement  No.  38,  "Certain  Financial  Statement  Note  Disclosures,"  will  require  the 
Commonwealth  to  provide  the  detail  of  all  transfers  between  the  funds,  and  such  transfers  will  need  to  be 
discussed  in  the  Commonwealth's  footnotes. 


The  following  table  lists  the  budgeted  funds  with  statutory'  fund  balance  deficits  (amounts  in  thousands)  at 
June  30,  2001: 

Budgeted 

Fund  No.                                                      Fund  Name  Deficit 

101       Highway  Fund  $  278,514 

108      Natural  Heritage  Fund  9 

113       Mosquito  and  Greenhead  Fry  Control  Fund  2,305 

134      Environmental  Challenge  Fund  2,794 

149      Toxic  Use  Reduction  Fund  7,686 

152      Environmental  Permitting  and  Compliance  Assurance  Fund  43,155 

154      Underground  Storage  Fund  13,920 

156  Environmental  Law  Enforcement  Fund  3,875 

157  Public  Access  Fund  296 

158  Harbors  and  Inland  Waters  Maintenance  Fund  7,599 

159  Marine  Fisheries  Fund  5,330 

160  Watershed  Management  Fund  4,331 

161  Low-Level  Radioactive  Waste  Management  Fund  505 
173  Clean  Air  Act  Compliance  Fund  1,048 
019  Child  Support  Penalty  Fee  Fund  87 
186  Second  Century  Fund  3,594 
106      Antitrust  Law  Enforcement  Fund  2,765 

110  Victim  and  Witness  Assistance  Fund  10,335 

1 1 1  Intercity  Bus  Capital  Assistance  Fund  6,070 
165  Pondapoag  Recreational  Fund  5 
172  Leo  J.  Martin  Recreation  Fund  179 
188  Children  and  Senior  Health  Fund  13,197 
192  Trans.  Aid  to  Needy  Families  Fund  11,197 
194      Local  Consumer  Inspection  Fund                                                      574 

Total  $  419,370 

While  some  funds  with  minimal  activity  were  repealed  during  the  fiscal  year  and  more  are  legislated  for 
repeal  during  fiscal  year  2002,  a  large  number  of  funds  remain  and  should  be  evaluated  as  to  their  continued 
need.    The  following  table  (amounts  in  thousands)  shows  fund  activity  as  of  June  30,  200 1  for  those  funds 

with  minimal  or  no  activity  during  the  year.  This  list  excludes  funds  that  were  created  or  repealed  during 
fiscal  2001  and  funds  whose  repeal  has  been  legislated  for  fiscal  2002. 
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Expenditures 
Revenues  and        and  Other 
Fund  Other  Financing       Financing 

Number  Fund  Name  Sources  Uses 

019  Child  Support  Penalty  Fee  Fund  $ 

020  Department  of  Telecommunication  and  Energy  Trust  Fund 
026  Firearms  Recordkeeping  Fund 
031  Oil  Overcharge  Fund 
033  Civil  Monetary  Penalty  Fund 

106  Antitrust  Law  Enforcement  Fund 

107  Government  Land  Bank  Fund 

108  Natural  Heritage  and  Endangered  Species  Fund 
1 1 1  Intercity  Bus  Capital  Assistance  Fund 
1 1 8  Federally  Assisted  Housing  Fund 
132  Motorcycle  Safety  Fund 
1 36  Environmental  Trust  Fund 
138  Children's  Trust  Fund 
140  Labor  Shortage  Fund 
144  Drug  Analysis  Fund 
153  Massachusetts  AIDS  Fund 
157  Public  Access  Fund 

161  Low-Level  Radioactive  Waste  Management  Fund 

165  Ponkapoag  Recreational  Fund 

168  Board  of  Registration  in  Medicine  Fund 

172  Leo  J.  Martin  Recreation  Fund 

179  Reggie  Lewis  Track  and  Athletic  Center  Fund 

180  Assisted  Living  Administration  Fund 
1 85  Solid  Waste  Disposal  Fund 
1 87  Safe  Drinking  Water  Fund 

189  Diversity  Awareness  Education  Trust  Fund 

190  Child  Care  Quality  Fund 
194  Local  Consumer  Inspection  Fund 
198  Voting  Equipment  Loan  Fund 
330  Revolving  Loan  Fund  _ 


661 

2,337 

534 

$  1,817 
2,766 

1,416 

245 

1,374 

274 

520 

1,492 
313 

1,492 
324 

582 

182 

135 

135 

251 

188 

2,362 
13 

1,911 
62 

241 

- 

92 

101 

184 

407 

879 

892 

252 

256 

898 

803 

1,916 
683 

1,916 
667 

381 

271 

411 

353 

1 

- 

2,138 
3 

2,217 

271 

126 

475  1,803 


Total  $19,440  $20,583 

Such  funds  represent  less  than  1%  of  the  activity  of  the  governmental  funds  of  the  Commonwealth. 

To  improve  accountability,  the  OSC,  working  with  the  Secretary  of  Administration  and  Finance  and  the 
Legislature,  should  seek  legislation  to: 

•  Combine  or  eliminate  many  of  the  existing  funds  noted  above.  Any  remaining  funds  should  be 
specifically  identified  in  the  legislation,  and  any  "new  activities"  subsequent  to  the  legislation  should  be 
limited  to  the  establishment  of  subfunds  unless,  after  consultation  with  OSC,  a  conclusion  is  reached  that 
individual  fund  reporting  is  appropriate. 


•  If  combining  or  eliminating  funds  is  not  accomplished,  legislation  should  be  proposed  to  require  funds, 
other  than  Capital  Project  Funds,  that  have  had  a  deficit  in  fund  balance  for  three  consecutive  years  to  be 
reduced  to  a  zero  balance  as  part  of  the  subsequent  year's  budget. 

•  "Sunset"  provisions  should  be  enacted  to  require  that  each  fund  and  subfund,  other  than  the  General  Fund, 
be  reviewed  every  five  years  to  determine  whether  it  should  be  continued.  In  the  absence  of  a  positive 
action  by  the  Legislature  to  continue  the  fund,  the  Legislature  should  require  that  its  balance  be 
transferred  to  the  General  Fund  and  the  fund  or  subfund  abolished. 

Prior  Appropriations  Continued  in  the  Legislature 

Massachusetts  makes  extensive  use  of  the  carryforward  of  unexpended  appropriations  (prior  appropriation 
continued  or  "PAC"),  therefore  reducing  the  effectiveness  of  the  current  budget  process.  Appropriations 
continued  from  fiscal  year  2001  to  2002  totaled  approximately  $290  million,  a  $38  million  increase  from  the 
prior  fiscal  year.  The  unexpended  balance  in  the  General  Fund  for  all  appropriations  at  June  30,  2001  is 
approximately  $183  million,  a  $4  million  increase  from  the  prior  year. 

Of  this  amount,  nothing  was  reverted  at  the  end  of  the  fiscal  year.  A  review  of  the  activities  within  the 
General  Fund  indicates  that  additional  funds  were  appropriated  to  many  accounts  in  fiscal  year  2001,  although 
balances  carried  forward  from  fiscal  year  2000  were  sufficient  to  cover  all  2001  expenditures.  This  results  in 
an  increase  in  the  unspent  balances  compared  to  those  at  June  30,  2000.  This  trend  has  continued  since  1993. 

An  example  of  a  balance  carryforward  is  the  Legislature's  Telecommunication  Appropriation,  No.  97441000. 
A  balance  of  $6.5  million  was  carried  forward  from  fiscal  year  1995.  Only  $1.7  million  of  the  appropriation 
was  spent  during  fiscal  year  1996,  and  the  remaining  $4.8  million  was  carried  to  fiscal  year  1997.  Of  this 
amount,  only  $1.7  million  was  expended  during  the  year  and  $3.1  million  was  authorized  to  be  carried 
forward  to  fiscal  year  1998,  of  which  only  $1.5  million  was  expended  and  the  remaining  $1.6  million  was 
authorized  to  be  carried  forward  to  fiscal  year  1999.  In  fiscal  years  1999  and  2000,  an  additional  $3.4  million 
was  appropriated  and  $3.2  million  expended  and  the  remaining  $1.8  million  was  authorized  to  be  carried 
forward  to  fiscal  year  2001. 

Under  Massachusetts  General  Laws,  the  Commonwealth  has  the  option  of  either  reverting  unexpended  funds 
or  carrying  the  balances  forward  to  the  next  fiscal  year.  The  current  trend  indicates  that  more  funds  are  being 
carried  forward  from  year-to-year  than  is  necessary,  thereby  diminishing  the  value  of  the  budgetary  controls 
that  should  be  an  element  of  the  annual  appropriation  process. 

The  Legislature  should  carefully  review  and  evaluate  its  use  of  PACs  and  its  procedures  for  appropriating  and 
carrying  forward  funds  so  that  the  available  funds  are  more  fully  utilized  to  operate  the  various  programs 
sponsored  by  the  Commonwealth. 

Workers'  Compensation  and  Group  Health  Insurance 

The  Commonwealth  should  establish  a  funding  schedule  to  accumulate  assets  to  satisfy  the  current  under- 
funded, liability  related  to  the  internal  service  funds.  As  of  June  30,  2001,  the  unfunded  liability  for  the 
workers'  compensation  and  group  health  insurance  funds  was  $262. 3M  and  $31.9M,  respectively.  These 
balances  represent  accumulated  liabilities  and  will  have  a  material  impact  on  the  governmental  fund 
statements  when  the  Commonwealth  adopts  GASB  34.  At  that  time,  these  liabilities  will  be  shown  as 
liabilities  that  directly  reduce  the  "net  assets"  of  the  Commonwealth.  These  and  other  obligations  could  result 
in  a  negative  net  asset  position. 
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Available  options  to  furnish  the  necessary  funding  include  a  surcharge  to  the  current  statutory'  chargeback  to 
state  agencies,  an  annual  appropriation  based  upon  an  actuarially  calculated  funding  schedule,  a  redirection  of 
investment  earnings,  and  other  actions.  The  OSC  and  the  Legislature  should  coordinate  their  efforts  to 
evaluate  all  options  and  select  the  most  appropriate  steps  to  satisfy  the  existing  liabilities  and  fund  future 
liabilities  as  incurred. 

Activity-Based  Costing 

Management,  citizens,  and  their  representatives  in  the  Legislature  have  a  heightened  interest  in  what 
programs  cost,  the  cost  of  delivery  under  various  alternative  models,  and  the  cost  of  the  individual  items  or 
elements  required  to  deliver  a  service.  Activity-based  costing  is  an  approach  used  by  many  governmental 
entities  to  determine  the  true  cost  to  deliver  a  service. 

The  Commonwealth  benefits  from  having  agencies  like  the  OSC  employing  activity-based  costing  models  as 
part  of  the  overall  management  reporting  system.  These  models  allow  the  Commonwealth  to  more  accurately 
determine  the  benefits  of  electronic  benefit  transfers,  payroll  direct  deposits,  or  the  privatization  of  an  activity. 
We  recommend  that  the  Commonwealth  begin  additional  pilot  projects  to  determine  the  cost  of  activities  and 
services  that  are  currently  under  review  for  changes  in  their  processes.  These  pilots  should  then  be  used  to 
develop  a  process  for  calculating  the  cost  of  a  broad  range  of  Commonwealth  activities. 

Employee  Recognition  Programs 

As  the  Commonwealth  enters  the  uncertain  economic  period  of  2001/2002  with  the  reduced  tax  collections,  it 
is  important  to  look  at  programs  that  produce  cost  savings  while  at  the  same  time  rewarding  and  retaining  the 
resource  capital  needed  to  run  the  business  of  government. 

Rewarding  and  retaining  governmental  employees  has  always  been  a  challenge  for  governmental  entities.  It 
is  always  more  of  a  challenge  to  reward  employees  in  tight  economic  times.  In  looking  at  models  from  other 
states,  several  programs  are  worth  noting. 

One  idea  is  a  "Shared  Savings  Program"  modeled  after  similar  private  sector  models.  This  program 
encourages  employees  to  submit  ideas  for  managing,  building  or  buying  something  more  eff.jiently.  Any 
actual  savings  go  into  a  special  account,  and  after  a  year,  half  of  the  savings  recognized  in  the  department  go 
to  the  department  employees. 

A  second  idea  is  a  quality  service  award  which  allows  individual  employees  to  earn  financial  recognition  for 
accomplishments.  The  program  awards  up  to  $10,000  to  one  person  or  to  a  number  of  people. 

While  other  types  of  programs  exist,  the  goal  for  Massachusetts  should  be  to  reward  talented  employees  while 
reducing  overall  costs  and  improving  operational  efficiency. 


Investor  Relations  Programs  and  Related  Disclosures 

The  Commonwealth  should  review  its  investor  relations  program. 

The  United  States  Securities  and  Exchange  Commission  ("SEC")  has  continued  to  focus  on  municipal 
securities  and  investor  information.  The  reason  for  this  focus,  as  stated  by  Stephen  J.  Weinstcin  of  the  Office 
of  Municipal  Securities  of  the  SEC  in  his  speech  at  the  August  200 1  annual  conference  of  the  National 
Association  of  State  Auditors,  Comptrollers  and  Treasurers,  is  the  emerging  dominance  of  individual 
investors  in  the  municipal  market.  In  his  speech  Mr.  Weinstein  indicated  that  more  than  70  percent  of  the 
outstanding  obligations  are  held  by  or  for  individuals,  either  directly  or  through  bond  funds,  and  that  nearly 
40  percent  of  the  total  is  held  by  individuals  themselves  or  in  their  personal  trust  accounts. 

Because  many  investors  purchased  their  bond  holdings  in  the  secondary  market,  the  disclosures  to  that 
segment  of  the  marketplace  are  beginning  to  receive  a  growing  level  of  attention.  The  SEC  has  begun  to 
focus  on  information  on  governmental  websites  and  whether  the  information  has  the  potential  to  mislead 
investors.  Properly  used,  the  website  is  an  important  element  of  an  investor  relations  program  and  an  aid  in 
complying  with  the  SEC  rules  applicable  to  governmental  securities. 

In  1996,  the  Government  Finance  Officers  Association  ("GFOA")  issued  a  recommended  practice  on 
"Maintaining  an  Investor  Relations  Program."  The  centerpiece  of  the  GFOA's  recommended  investor 
relations  program  is  a  commitment  to  provide  annual  financial,  operating,  and  other  significant  information  in 
a  timely  manner  consistent  with  federal  and  state  laws  and  SEC  rules.  Issuers  were  encouraged  to  consider 
addressing  the  following  concerns: 

1.  Identify  individuals  responsible  for  speaking  on  behalf  of  the  issuer. 

2.  Develop  procedures  for  identifying  and  selecting  information,  both  positive  and  negative,  to  be  made 
available  to  investors. 

3.  Develop  procedures  for  disseminating  information  so  that  it  gets  to  all  parts  of  the  market  simultaneously 
and  not  only  selected  investors. 

4.  Develop  procedures  to  ensure  potential  investors  receive  copies  of  the  preliminary  officii',  statement  at 
least  one  week  in  advance  of  a  bond  sale. 

5.  Identify  ways  to  stay  abreast  of  issues  that  are  likely  to  be  of  concern  to  investors. 

6.  Develop  and  maintain  good  relationships  with  the  rating  agencies. 

7.  Establish  procedures  to  ensure  that  financial  statements  or  other  information  needed  for  disclosure 
purposes  are  completed  on  a  consistent  schedule  from  year  to  year  and  prior  to  the  dates  established  in 
any  contractual  commitments. 

8.  Delineate  clearly  the  roles  and  disclosure  responsibilities  in  conduit  borrowings. 

9.  Engage  in  marketing  activities  to  alert  investors  of  a  pending  bond  sale. 

10.  Identify  investors  who  hold  the  issuer's  bonds  to  improve  communications. 

1 1.  Be  aware  that  legal  issues  may  exist  with  respect  to  securities  information  provided  by  electronic  means. 
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An  article  in  the  June  2001  Government  Finance  Review  described  a  governmental  entity's  investor  relations 
program.  That  article  discussed  the  fact  that  most  investors  do  not  accept  the  minimal  disclosures  required  by 
SEC  Rule  15c2-12  as  sufficient.  That  entity  specifically  performed  the  following  steps  in  establishing  an 
investor  relations  program. 

1.  Conducted  research  into  the  legal  requirements. 

2.  Looked  at  the  information  needs  of  the  bond  rating  agencies,  bond  insurers  and  underwriters  regarding 
their  requirements  to  comply  with  SEC  and  Municipal  Securities  Rulemaking  Board  rules. 

3.  Developed  a  cover  sheet  for  all  filings  with  the  Nationally  Recognized  Municipal  Securities  Information 
Repositories  ("NRMSIRs")  that  contained  all  CUSIP  numbers.  Such  a  cover  sheet  is  to  accompany  all 
filings  and  is  necessary  for  the  NRMSIRs  to  be  able  to  tie  disclosure  documents  to  specific  bond  issues. 

4.  Added  an  "investor  relations  site"  to  the  government's  webpage. 

5.  Developed  a  quarterly  investor  newsletter  that  is  posted  on  the  website. 

This  government  believed  that  by  providing  information  directly  to  the  investor  community  it  could  improve 
investor  relations,  increase  investor  interest  in  the  debt  with  a  corresponding  lower  interest  rate  as  a  result  of 
demand,  and  obtain  more  favorable  bond  ratings. 

Compliance  with  Chapter  647,  the  Internal  Control  Act 

Massachusetts  General  Laws,  Chapter  647,  State  Agencies  Internal  Control  Act  of  1989  ("Chapter  647") 
outlines  internal  control  standards,  defines  the  minimum  level  of  internal  control  systems,  and  establishes  the 
criteria  against  which  internal  controls  will  be  evaluated.  Chapter  647  also  states  that  internal  control  systems 
for  the  various  state  departments  shall  be  developed  in  accordance  with  guidelines  established  by  the  OSC. 
The  OSC  has  issued  written  guidance  in  the  form  of  the  Internal  Control  Guide  for  Managers  and,  in  2001, 
the  Internal  Control  Guide  for  Departments.  Departments  implement  Chapter  647  and  these  guides  through  a 
document  known  as  the  "departments'  internal  control  plan." 

Since  the  passage  of  Chapter  647,  the  OSC,  in  addition  to  publishing  the  above-mentioned  guides,  has 
assisted  departments,  when  requested,  in  developing  internal  control  plans;  conducted  training  sessions  on 
internal  controls  and  risk  assessments;  and,  in  conjunction  with  the  Office  of  the  State  Auditor,  reviewed 
internal  control  plans  for  departments  upon  request  or  as  part  of  the  statewide  single  audit. 

To  support  departments  in  their  efforts  to  improve  internal  controls  and  internal  control  plans,  the  OSC  has 
expanded  its  ongoing  internal  control  campaign.  The  focus  for  200 1  was  to  ensure  that  all  departments  had 
prepared  department-wide  risk  assessments.  It  prepared  and  conducted  two  instructional  seminars  on 
Developing  a  Department-Wide  Risk  Assessment,  published  existing  departmental  models  for  developing 
internal  control  plans  and  risk  assessments  on  the  Internet,  and  held  a  Chief  Fiscal  Officers  Conference  at 
which  internal  controls  were  a  key  part  of  the  agenda. 

In  2001,  the  OSC  and  the  Office  of  the  State  Auditor  conducted  follow-up  site  visits  of  the  departments  in 
which  internal  control  plans  were  reviewed,  as  part  of  the  2000  single  audit  to  review  their  progress  on 
implementing  the  internal  control  plan  recommendations.  The  OSC  and  Office  of  the  State  Auditor  staffs 
found  that  all  departments  had  made  incremental  progress  towards  implementing  the  recommendations  and 
that  some  departments  regularly  incorporate  operational  changes  into  their  internal  control  plans. 
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Although  most  of  these  plans  generally  contain  adequate  descriptions  of  fiscal  policies  and  procedures,  only  a 
few  plans  described  the  controls  required  to  thoroughly  comply  with  federal  and  state  program  laws  and 
regulations  or  contained  adequate  documented  evidence  that  a  department-wide  risk  assessment  had  been 
conducted.  Most  of  these  departments  indicate  that  they  now  understand  that  the  concept  of  and  need  for 
internal  controls  must  involve  all  departmental  operations,  not  only  the  financial  operations. 

To  more  fully  comply  with  the  intent  and  spirit  of  Chapter  647  and  to  develop  adequate  internal  control  plans 
at  all  departments  of  the  Commonwealth,  many  departments,  groups,  and  individuals  must  be  involved.  The 
education  process,  including  departmental  awareness  of  the  importance  of  internal  controls  and  internal 
control  plans,  and  the  development  of  internal  control  plans  should  be  continued.  The  following 
recommendations  may  serve  to  assist  in  furthering  the  full  implementation  and  acceptance  of  internal  controls 
in  the  Commonwealth: 

Senior  management  must  continue  to  pay  attention  to  the  subject.  The  Secretary  for  Administration  and 
Finance,  as  well  as  the  Comptroller,  should  emphasize  the  importance  of  internal  controls  and  internal  control 
plans  with  department  heads,  senior  managers  and  internal  control  officers  and  include  discussions  on  internal 
controls  in  any  new  statewide  initiatives  as  was  done  with  the  Managing  for  Results  Initiative  ("MRI"); 

Secretariat  and  departmental  management  must  consider  internal  controls  to  be  an  integral  part  of  department 
operations  and  require  the  internal  control  plan  as  a  key  component  of  department-wide  operations; 

The  OSC  should  continue  to  educate  both  department  programmatic  and  fiscal  staff  about  the  role  and 
function  of  the  internal  control  plan,  as  was  done  most  recently  at  the  Risk  Assessment  Seminar;  and 

The  OSC  and  the  Office  of  the  State  Auditor  should  evaluate  the  need  to  amend  Chapter  647  to  re-emphasize 
and  re-energize  the  internal  control  focus.  Senior  management  needs  to  ensure  that  internal  control  officers 
are  always  at  the  senior  level  required  by  Chapter  647  in  order  to  effect  changes  in  programmatic  controls. 

Higher  Education  Shared  Services  Center 

The  Commonwealth  should  evaluate  whether  a  higher  education  shared  ser/ices  center  would  improve  the 
efficiency  and  accountability  of  the  accounting  and  student  financial  aid  operations  of  the  'ommunity  and 
small  state  colleges.  A  secondary  goal  would  be  to  use  the  shared  services  center  to  reduce  the  operating 
costs  of  nonacademic  functions.  The  recent  problems  encountered  at  Roxbury  Community  College, 
combined  with  the  turnover  experienced  by  other  institutions,  indicate  the  need  to  challenge  the  current 
approach  to  providing  the  "back  room"  operations  of  the  state's  higher  education  system. 

The  use  of  a  shared  services  center  is  one  approach  to  improving  the  accounting  and  student  financial  aid 
operations  of  many  of  the  smaller  institutions  of  higher  education.  A  shared  services  center,  whether  run  by  a 
governmental  entity  or  outsourced  to  a  private  entity,  could  provide  the  following  benefits: 

1 .  The  ability  to  keep  pace  with  ever-changing  technology 

2.  Flexibility  and  scalability 

3.  The  foundation  for  Internet-based  e-business/e-government 

4.  The  ability  to  enhance  responsiveness  and  customer  satisfaction 

5.  Best  business  processes  and  practices 

6.  The  ability  to  attract  and  retain  good  people 

7.  Optimizing  the  allocation  of  existing  resources 

8.  Cost  savings  and  cost  control 

9.  Better  information  for  management  decision  making 

10.  Continuous  improvement  with  new  ideas  and  service  offerings 
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Various  governmental  entities  have  begun  to  use  shared  services  centers  or  similar  concepts  (see  June  2001 
issue  of  Government  Finance  Review).  In  addition,  the  Apollo  Group  (University  of  Phoenix)  has  used 
outsourced  providers  to  service  both  its  accounting  and  student  financial  assistance  functions. 

In  considering  whether  to  move  to  a  shared  services  concept,  the  Commonwealth  should  perform  the 
following  steps: 

Complete  a  business  process  diagnostic  evaluation  at  a  number  of  institutions 

Prepare  a  requirements  definition  of  core  financial  functions 

Obtain  buy-in  from  upper  management  and  user  institutions 

Develop  documentation  deliverables 

Perform  a  best  practices  review  of  current  operations  and  new  technology 

Research  the  cost  of  communication  links  to  the  shared  services  center 
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OFFICE  OF  THE  COMPTROLLER 
Fixed  Assets 

There  is  a  need  for  the  continued  improvement  in  the  recording  of  fixed  assets.  The  Massachusetts 
Management  Accounting  and  Reporting  System  ("MMARS")  Fixed  Asset  Subsystem  User  Guide  requires 
"assets  valued  at  $15,000  or  more  to  be... recorded  onto  the  system  within  seven  (7)  days  of  acquisition... to 
properly  account  for  and  record  those  items  owned  by  the  Commonwealth... and  to  allow  them  to  be 
incorporated  into  the  Commonwealth's  Annual  Comprehensive  Financial  Report  ("CAFR")..."  The 
requirement  is  designed  to  ensure  that  fixed  assets  are  recorded  in  an  appropriate  and  timely  manner. 

MMARS  Memo  #290,  released  on  July  9,  1999,  reiterated  the  above  facts.  The  Fixed  Asset  Subsystem  User 
Guide,  published  in  May  2000,  has  a  section  that  reiterated  the  7-day  policy.  All  departments  have  received 
this  guide,  and  it  has  been  posted  on  the  OSC  website.  During  the  course  of  the  audit,  it  was  noted  that  two 
departments  (Department  of  Public  Health  and  Department  of  Elder  Affairs)  and  one  college  (Massasoit 
Community  College)  did  not  adhere  to  the  policy.  In  each  case,  fixed  assets  acquired  in  prior  years  were  not 
reported  until  fiscal  year  2001.  The  violations  primarily  resulted  from  a  lack  of  knowledge  of  the  "Seven  Day 
Rule"  by  the  department  and  the  college's  personnel.  The  effect  of  not  recording  assets  timely  and  correctly 
is  to  understate  the  fixed  assets  on  MMARS  and,  consequently,  in  the  Commonwealth's  financial  statements. 

As  part  of  its  upcoming  fiscal  year  2002  Chief  Fiscal  Officer  Conference,  the  OSC  should  continue  to 
emphasize  the  need  to  comply  with  the  "Seven  Day  Rule"  so  that  the  Commonwealth's  financial  statements 
are  accurate  and  reliable.  The  OSC  should  also  emphasize  that  this  requirement  be  included  in  the 
departmental  internal  control  plans. 

"GAAP  Packages" 

All  departments  are  required  by  the  Commonwealth  to  submit  a  "GAAP  Package"  to  the  Financial 
Accounting  and  Reporting  Bureau  ("FRAB")  of  the  OSC.  The  purpose  is  to  properly  accumulate  the 
information  needed  to  report  the  Commonwealth's  financial  condition  under  accounting  principles  generally 
accepted  in  the  United  States  of  America  ("GAAP")  in  accordance  with  the  standards  promulgated  by  the 
Government  Accounting  Standards  Board.  The  OSC  distributes  instructions  to  all  department"  detailing  the 
information  needed  including  accruals  for  receivables,  leases  and  other  balances. 

The  OSC  set  August  10,  2001  as  the  submission  deadline  for  the  GAAP  Packages.  Forty-six  priority  III 
departments  failed  to  submit  a  GAAP  Package  for  fiscal  year  2001.  Many  of  these  departments  also  failed  to 
file  GAAP  packages  in  prior  years  as  well.  This  forces  the  FRAB  to  make  certain  estimates  and  assumptions 
(concerning  payroll,  number  of  employees,  etc.)  in  order  to  prepare  statements.  Although  these  priority  III 
departments  are  immaterial,  individually  and  in  the  aggregate,  the  amounts  should  be  reported  to  provide  an 
accurate  financial  picture. 

The  OSC  should  continue  to  communicate  the  need  to  prepare  this  package  in  a  timely  manner  with  chief 
fiscal  officers  in  upcoming  meetings. 
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INFORMATION  TECHNOLOGY  DIVISION 

Documentation  of  Backup  and  Data  Retention  Guidelines  Needs  Improvement 

The  Massachusetts  Information  Technology  Center  ("MITC")  needs  to  document  data  retention  guidance  for 
the  agencies  it  supports.  The  MITC  data  center  houses  and  supports  the  information  resources  for  several 
agencies.  The  backup  policies  regarding  those  resources  are  dictated  by  the  individual  agencies.  Although 
there  exists  a  standardized  backup  process,  it  has  not  been  documented.  In  addition,  there  exists  no 
documentation  on  data  retention  guidance.  Agreed-upon  procedures  have  not  been  developed  and 
acknowledged  by  the  Information  Technology  Division  ("ITD")  or  the  agencies  it  supports. 

The  procedures  and  actions  followed  by  computer  operators,  which  include  processing  production 
applications  and  their  backups,  have  an  impact  on  information  integrity.  It  is  essential  that  all  such  actions  are 
planned  and  clear  instructions  are  developed  and  followed  for  their  implementation.  Without  such  formal 
documentation,  management's  intentions  regarding  backup  procedures  and  data  retention  may  not  be  clearly 
understood  throughout  the  organization.  If  backups  and  retention  policies,  procedures,  standards,  and 
guidance  are  not  followed,  the  agencies,  and  the  organization  at  large,  risk  the  unavailability  of  data  and 
storage  media,  non-compliance  with  the  legal  requirements,  and  inefficient  use  of  resources. 

We  recommend  the  Commonwealth  formulate  a  single  set  of  guidelines  that  addresses  all  aspects  of  backups 
and  retention  of  data  and  resources.  These  guidelines  should  be  issued  and  enforced  at  all  agencies  that  rely 
on  the  MITC  for  their  data  and  resource  administration.  This  process  will  also  help  ensure  maintainability 
and  education  for  all  other  users  of  the  system.  Backup  and  retention  guidelines  may  include  documentation 
regarding  the  following: 

Definition  of  systems  criticality,  downtime  tolerance,  etc. 

Process  to  define  the  relevant  data  for  which  the  retention  is  required  by  law 

Data  category  definitions  and  associated  required  retention  periods 

Process  to  create  and  label  backups 

Inventory  of  retained  records  in  any  centralized  media  library 

Process  to  research  changes  in  laws  and  regulations  which  affect  retention  periods 

Procedures  for  implementing/updating  relevant  parameters  for  an  automated  data  retention  tool  to 
guarantee  that  all  defined  data  are  stored 

Process  to  delete  expired  data 

Communication  of  the  backup  and  retention  policy  to  all  users 

Timely  Deletion  of  Terminated  Employees 

The  ITD  does  not  receive  a  regular  listing  of  terminated  employees  from  the  various  agencies  that  have  access 
to  RACF.  The  ITD  performs  a  monthly  sweep  of  the  user  database  and  matches  RACF  to  HR/CMS.  Profiles 
existing  in  RACF,  to  which  no  match  is  found  in  HR/CMS,  are  deleted.  However,  this  process  is  more 
reactive  than  proactive.  A  terminated  employee's  access  may  potentially  remain  live  until  the  next  monthly 
sweep  occurs. 
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Lack  of  standard  procedures  to  administer  user  access  related  to  adds,  changes  and  terminations  increases  the 
risk  of  unauthorized  system  access.  Active  administration  of  information  systems  security  is  important  to 
ensure  that  security  policies  and  procedures  are  consistently  applied  across  the  organization,  especially  over 
time  and  during  instances  of  employee  turnover.  The  lack  of  standard  procedures  may  contribute  to  higher 
levels  of  administration  and  overhead  costs,  inefficiencies  and  potential  security  exposures.  Access  privileges 
should  be  established  effectively  in  order  to  ensure  data  integrity  and  confidentiality,  and  that  availability  is 
not  compromised  through  intentional  or  unintentional  errors. 

Access  paths  are  the  logical  routes  of  access  to  systems  and  data.  In  a  multi -systems  environment,  such  as 
the  Commonwealth,  there  are  multiple  access  paths  to  data  (for  example,  through  operating  system  utilities, 
database  facilities,  and  application  software).  It  is  essential  to  evaluate  systems'  access  privileges  granted  to 
employees  on  a  regular  basis. 

We  recommend  the  development  of  a  more  effective  process  to  ensure  that  terminated  employee  access  is 
disabled  in  a  timely  manner  (i.e.,  immediately  upon  termination).  A  process  should  be  put  in  place  to  obtain 
daily  reports  of  terminated  employees  from  the  Human  Resources  Division  (HRD)  as  well  as  HR  departments 
at  other  agencies.  HR  departments  at  all  agencies  not  only  need  to  be  aware  of  all  terminations  before  they 
happen,  but  need  to  report  these  deletions  to  the  ITD  group  immediately,  so  these  users  can  be  removed  from 
the  system  in  a  timely  manner.  Additionally,  ITD  may  consider  increasing  the  frequency  of  reviewing  system 
access  privileges,  through  a  match  of  HR/CMS  and  RACF. 

Incident  Response  Procedures  for  Security  Violations  Should  be  Clearly  Defined 

The  ITD  does  not  have  a  clearly  defined  set  of  procedures  to  handle  security  violations.  The  ITD  performs 
regular  security  monitoring  by  reviewing  the  daily  Internet  Security  Systems  Real  Secure  intrusion  detection 
logs.  Also,  alarms  have  been  set  up  to  notify  security  personnel  of  high  security  violations.  However,  the 
ITD  does  not  have  a  formalized  methodology  for  handling  such  violations  at  this  point.  Although  certain 
informal  procedures  have  evolved  over  time,  a  standardized  set  of  incident  response  procedures  or 
comprehensive  checklists  have  not  been  developed  to  determine  the  steps  that  should  be  taken  in  the  event  of 
a  security  violation. 

Incident  response  procedures  ensure  that  all  security  breaches  are  handled  properly  before  serious  damage  can 
be  done  to  systems.  Without  a  clearly  defined  set  of  procedures  to  handle  security  violation  incidents,  there 
is  a  risk  that  security  breaches  may  not  be  handled  properly  and  serious  damage  may  be  caused  to  critical 
systems. 

We  recommend  the  formulation  and  deployment  of  a  standardized  set  of  incident  response  procedures  that 
addresses  all  aspects  of  security  violations  from  initial  detection  to  resolution  of  the  incident.  A  standardized 
set  of  incident  procedures  will  ensure  that  regardless  of  when  the  breach  occurs  or  who  is  available  to  address 
the  incident,  it  will  be  handled  quickly  and  correctly  before  any  damage  can  occur.  At  a  minimum,  incident 
response  procedures  should  consist  of  four  steps: 

•  Identification  and  categorization 

•  Escalation  and  notification 

•  Containment,  eradication  and  recovery 

•  Post-incident  follow-up 

•  Development  of  these  procedures  should  be  coupled  with  periodic  training  to  ensure  that  all  security 
personnel  are  prepared  to  handle  an  actual  security  violation  and  that  they  know  who  to  contact,  how  to 
resolve,  etc. 
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Data  Transmitted  Across  External  Networks  Should  be  Protected 

The  ITD  is  considering  using  encryption  mechanisms  from  a  data  classification  perspective.  However, 
currently  there  is  no  encryption  on  data  transmitted  across  external  networks.  The  Commonwealth  of 
Massachusetts  needs  to  revisit  its  existing  systems  infrastructure.  Based  on  the  infrastructure  requirements,  it 
may  need  to  evaluate  various  means  of  protecting  sensitive  data. 

In  the  electronic  age,  information  confidentiality  and  privacy  often  require  that  extensive  security  measures  be 
put  into  place.  When  transmitting  data  across  external  networks  such  as  the  Internet,  all  sensitive  data,  such 
as  information  about  an  individual's  health  or  human  service  needs,  should  be  protected.  Encryption  is  a 
fundamental  security  mechanism  for  protecting  data.  If  sensitive  data  is  not  encrypted,  an  individual  with 
malicious  intent  or  other  interest,  who  has  access  to  the  Internet,  can  capture  information  exchanged  on  the 
Internet  as  readable  text,  which  leaves  an  organization  susceptible.  Encryption  adds  an  additional  layer  of 
security  that  makes  it  more  difficult  for  unauthorized  individuals  to  capture  information  transmitted  over 
external  networks  and  helps  ensure  the  privacy  of  confidential  information.  This  issue  is  gaining  importance 
because  of  new  regulations  over  security  and  privacy,  such  as  the  Health  Industry  Portability  and 
Accountability  Act. 

With  the  proliferation  of  digital  communications,  it  is  essential  to  implement  increased  security  and  privacy 
measures.  Given  the  complexity  of  the  Commonwealth's  information  systems,  many  of  which  reside  on 
different  platforms  and  don't  easily  lend  themselves  to  encryption  or  other  data  protection  mechanisms,  we 
recommend  that  the  Commonwealth  of  Massachusetts  revisit  its  systems  infrastructure  and  review  existing 
industry  standards  and  the  costs  involved  to  ensure  that  all  sensitive  data  that  is  transmitted  across  its  external 
networks  is  protected.  We  understand  that  it  is  currently  evaluating  various  means  of  performing  data 
security,  such  as  digital  signatures,  PKI,  etc.,  and  we  encourage  the  Commonwealth  to  continue  to  make  this  a 
priority. 

Testing  Procedures  for  Systems  Software  Changes  are  not  Documented 

The  objective  of  testing  any  change  is  to  ascertain  the  effectiveness  of  internal  controls  designed  to  help  to 
ensure  that  new  or  modified  systems  software  is  reliable,  accurate,  and  meets  functional  requirements. 
Selection  of  inappropriate  systems  software  may  result  in  increased  system  downtime  and/c  difficulty  in 
integrating  the  various  systems  software  packages  and  computerized  application  systems.  At  this  time,  ITD 
does  not  maintain  documented  testing  procedures  for  systems-software-related  changes.  Although  every 
product  would  require  a  different  kind  for  testing,  management  may  consider  developing  a  basic  outline  of 
procedures  to  be  followed.  Also,  testing  of  any  new  product  or  changes  to  existing  systems  software  products 
should  be  documented. 

Without  procedures  to  test  new  products  or  changes  to  existing  products,  inappropriate  or  ineffective  changes 
could  be  moved  to  production  and  affect  multiple  users.  Any  change  to  the  systems  software,  data 
architecture  or  network  configuration  will  impact  the  organization  and  can  cause  disruptions  in  normal 
operations. 


-  17- 


In  order  to  minimize  disruption  in  normal  operations,  detailed  testing  procedures  need  to  be  documented  to 
help  ensure  maintainability  and  education  for  all  other  users  of  the  system.  At  a  minimum,  testing  procedures 
should  include  information  about  the  following: 

•  What  types  of  testing  will  be  performed  (e.g.,  system  and  unit  testing;  interface,  parallel  and  capacity 
testing;  user  acceptance  testing)? 

•  When  will  the  test  be  performed? 

•  How  will  the  test  be  generated? 

•  Who  will  perform  the  different  types  of  tests,  and  who  will  approve  the  results  and  adequacy  of  such 
tests? 
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OFFICE  OF  THE  STATE  TREASURER 

Cash  Management  System 

Treasury  staff  and  consultants  developed  the  current  cash  management  system  in  1991.  While  it  has  been 
modified  since  1991,  the  system  has  been  lacking  in  meeting  the  needs  of  the  Treasurer's  Office.  Treasury 
management  has  employed  consultants  to  review  the  overall  functionality  of  the  current  system  and  make  a 
determination  as  to  whether  modifications  to  the  existing  system  or  the  purchase  of  a  new  system  represents 
the  most  effective  long-term  solution  to  eliminate  the  current  system  limitations.  Based  on  those 
recommendations,  the  Treasury  has  installed  a  new  investment  software  system  and  is  in  the  process  of 
completing  the  set-up  of  the  interface  to  the  MMARS  system.  The  existing  business  practices  should  be 
examined  to  satisfy  the  accounting  requirements,  daily  cash  management  and  cash  flow  projections. 
Implementation  of  the  new  system,  along  with  the  requisite  business  practice  revisions  and  associated 
training,  will  result  in  less  reconciling  of  items,  improved  control  over  the  process,  and  better  cash 
management. 

Cash  Management  Staffing 

The  duties  of  the  Cash  Management  Department  within  the  Office  of  the  State  Treasurer  have  been  redefined 
under  the  current  administration.  For  instance,  internal  control  oversight  is  now  the  responsibility  of  an 
internal  control  auditor  who  reports  directly  to  the  First  Deputy  and  the  Treasurer.  The  unpaid  check  fund, 
claims  validation,  claims  processing  and  payment  have  been  segregated  and  integrated  with  the  state 
accounting  system.  The  Account  Reconciliation  Division  is  now  staffed  by  four  individuals.  These  changes 
within  the  Cash  Management  Department  have  been  accomplished  through  the  addition  of  new  staff.  The 
relative  newness  of  the  staff,  however,  could  become  a  concern  without  the  maintenance  of  strong  supervisory 
roles  to  guide  this  development  in  the  event  that  there  is  a  change  in  senior  management. 

The  daily  operations  of  the  Cash  Management  Department  are  highly  dependent  on  the  expertise  of  one 
individual.  The  loss  of  this  individual's  experience  and  expertise  could  potentially  have  an  adverse  effect  on 
the  Treasurer's  cash  management  operations. 

The  creation  of  an  additional  supervisory  position  should  be  considered.  This  position  should  be  staffed  with 
a  qualified  individual  with  a  background  in  accounting  and  adequate  management  experience.  This  individual 
would  be  responsible  for  managing  and  supervising  the  staff  function  as  second-in-command  to  the  Deputy 
Treasurer. 

Long-Term  Debt  Information 

The  preparation  of  long-term  debt  information  is  labor  intensive  and  controlled  by  a  single  employee  in  the 
Treasurer's  Office.  As  a  result  of  other  activities  that  this  employee  must  perform,  information  necessary  to 
update  the  Comptroller's  records  and  prepare  financial  statements  is  often  delayed  until  after  the  end  of  the 
fiscal  year. 

Though  improvements  have  been  made  in  this  process,  delays  were  still  experienced  in  the  preparation  of 
debt-related  information.  Management  should  review  the  procedures  used  to  prepare  the  long-term  debt 
information.  Consideration  should  be  given  to  development  of  a  transaction-closing  checklist  to  identify  all 
the  steps  that  need  to  be  completed  before  a  bond  sale  is  considered  final.  The  checklist  should  include 
information  necessary  for  the  preparation  of  financial  statements.  When  third  parties  provide  information, 
procedures  should  be  put  in  place  to  accumulate  the  data  within  a  specified  time  limit  after  the  close  of  the 
transaction. 
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Management  should  also  consider  developing  a  training  program  to  expand  the  depth  of  understanding  within 
the  department  to  ensure  continuity  in  the  event  that  the  individual  currently  assigned  to  perform  certain  tasks 
retires  or  transfers  to  another  function. 

Tangible  Property  Office 

Abandoned  property  turned  over  to  the  Commonwealth  of  Massachusetts  includes  physical  assets  submitted 
by  "holders"  such  as  hospitals,  prisons,  mutual  fund  companies,  insurance  companies  and  banks.  Under 
Massachusetts  General  Laws  Chapter  200A,  abandoned  property  is  required  to  be  submitted  to  the  Office  of 
the  State  Treasurer,  after  a  statutorily  determined  period  of  time,  along  with  the  names  and  addresses  of  the 
rightful  owners.  For  example,  in  the  case  of  abandoned  bank  assets  (such  as  personal  safe  deposit  boxes), 
these  assets  are  required  to  be  submitted  when  the  property  has  not  been  claimed  for  seven  years.  Once 
submitted,  the  assets  are  stored  and  secured  by  the  Tangible  Property  Office  within  the  Abandoned  Property 
Division.  Assets  remain  in  the  Tangible  Property  Office  until  they  are  either  claimed  by  the  rightful  owners 
or  liquidated  through  an  auction  conducted  by  the  Abandoned  Property  Division. 

Two  individuals  run  the  Tangible  Property  Office,  and  they  have  responsibility  and  control  over  the  assets 
submitted.  These  are  the  only  individuals  allowed  to  take  possession  of  the  assets  and  who  know  the  alarm 
code  to  gain  access  to  the  assets.  They  are  also  responsible  for  recording  the  assets  into  the  system  database, 
for  advertising  the  receipt  of  the  goods  in  order  to  return  them  to  their  rightful  owners,  and  for  having 
property  appraised  in  order  to  auction. 

In  addition,  inventory  counts  are  not  conducted  or  observed  by  anyone  outside  of  the  Tangible  Property 
Office.  Overall,  these  factors  combine  to  create  a  risk  that  physical  assets  submitted  to  the  office,  in 
accordance  with  the  Abandoned  Property  Laws  of  the  Commonwealth,  may  not  be  handled  properly  and  that 
such  actions  have  the  potential  of  not  being  identified  by  management  in  the  normal  course  of  operations. 
Otherwise  there  is  no  way  of  reconciling  what  was  sent  with  what  was  received  by  the  Tangible  Property 
Office. 

Additionally,  abandoned  property  mailed  by  holders  is  often  mailed  to  the  Abandoned  Property  Division, 
rather  than  the  Tangible  Property  Office.  The  Abandoned  Property  Division  cierk  opens  the  packages  and 
transfers  the  assets  to  the  Tangible  Property  Office.  This  increases  the  risk  that  assets  would  not  be 
appropriately  handled  prior  to  being  delivered  to  the  Tangible  Property  Office. 

Holders  should  be  instructed  to  send  all  physical  assets  directly  to  the  Tangible  Property  Office,  and  no  other 
employee  or  department  should  be  authorized  to  open  or  accept  the  package.  The  holders  should  also  be 
required  to  include  a  master  list  of  the  number  of  bags  sent  and  the  names  of  the  rightful  owners  of  the 
abandoned  property  so  that  a  reconciliation  can  be  performed  between  what  the  bank  sent  and  what  the  office 
received.  After  the  contents  have  been  reviewed,  the  Tangible  Property  Office  should  send  a  written 
confirmation  back  to  the  holder  confirming  receipt  of  the  property. 

We  recommend  that  Treasury  management  review  the  separation  of  duties  and  segregate  the  custody  and  the 
recording  of  the  assets.  Someone  independent  of  the  individual  who  records  and  receives  the  assets  should 
retain  the  master  and  detailed  inventory  lists.  This  independent  person  should  reconcile  the  list  with  the  items 
recorded  into  the  database  by  the  Tangible  Property  Office  employees. 

Management  should  also  periodically  conduct  random  inventory  test  counts.  Management  should  select  items 
from  the  independent  list  submitted  by  the  holders  and  trace  the  selected  item  to  the  physical  asset  secured  in 
the  room  to  ensure  that  it  has  been  given  an  identification  number  and  that  it  has  been  properly  recorded  in  the 
database  with  an  accurate  description. 
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Internal  Audit  Function 

In  1999,  the  internal  audit  function  was  created  for  the  purpose  of  documenting  a  formal  internal  control  plan 
in  compliance  with  Chapter  647  of  the  Acts  of  1989.  Prior  to  1999,  the  Treasury  had  no  internal  audit 
function  and  had  not  submitted  an  internal  control  plan.  An  internal  auditor  was  hired  in  June  of  1999.  In 
fiscal  year  2000,  the  new  Treasurer  submitted  and  received  approval  on  its  first  comprehensive  internal 
control  plan.  The  internal  control  plan  is  an  evolving  document  and  is  updated  whenever  there  are  any 
changes  in  business  operations  at  the  Treasury.  When  these  changes  do  occur,  internal  audit  is  responsible  for 
documenting  the  new  process,  identifying  the  new  controls,  and  conducting  a  risk  assessment.  Throughout 
the  year,  when  new  operating  procedures  and  policies  need  to  be  established,  the  internal  auditor  is  involved 
from  the  beginning  of  the  process  to  its  completion,  acting  in  a  coordinated  effort  with  departments  to 
improve  the  control  environment.  Presently,  the  Internal  Audit  Department  consists  of  one  individual.  While 
this  individual  has  extensive  knowledge  of  the  operations  of  every  department  within  the  Treasury,  along  with 
a  well-documented,  detailed  internal  control  plan,  it  may  be  time  for  a  transition  in  the  focus  of  the  internal 
audit  function. 

The  internal  control  plan  describes  the  operations  of  each  department  and  details  the  controls  that  exist.  The 
internal  audit  function  should  consider  shifting  its  focus  to  testing  the  controls  that  are  in  place  and 
determining  the  effectiveness  of  the  controls.  While  ongoing  monitoring  controls  are  in  place  and  risks 
assessments  are  conducted,  it  may  now  be  appropriate  to  adjust  the  focus  of  the  Internal  Audit  Department's 
efforts  and  conduct  more  formalized  testing  of  existing  controls.  Expansion  within  the  internal  audit  function 
should  be  considered  so  that  an  appropriate  level  of  staffing  exists  to  implement  testing  procedures  sufficient 
to  obtain  assurance  that  each  department  is  functioning  at  its  maximum  potential. 

Now  that  a  plan  exists  and  controls  are  in  place,  an  annual  schedule  should  be  developed  that  includes  a  plan 
to  test  the  documented  controls  to  ensure  that  they  are  working  effectively  and  are  being  applied  consistent 
with  the  intentions  of  management.  The  results  of  the  tests  should  be  reported  to  management,  and  any 
deficiencies  should  be  brought  to  their  attention  with  a  suggestion  for  corrective  action.  In  addition  to  testing 
control  procedures,  the  internal  audit  function  should  serve  as  a  vehicle  for  examining  the  current  operations 
of  a  department  and  searching  for  areas  where  improvements  can  be  identified.  The  internal  audit  function 
should  work  with  each  department  and  strive  to  improve  daily  operations  and  achieve  the  departments' 
missions  and  goals. 
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OFFICE  OF  THE  ATTORNEY  GENERAL 

Additional  Tracking  Required  for  Settled  Yet  Unpaid  Legal  Cases 

The  Office  of  the  Attorney  General  ("AGO")  is  responsible  for  tracking  and  reporting  on  lawsuits  pending  or 
threatened  against  the  Commonwealth.  The  Financial  Reporting  and  Analysis  Bureau  ("FRAB")  in  the  OSC 
has  been  working  with  the  AGO,  along  with  the  Commonwealth's  auditors,  to  enhance  its  tracking  and 
reporting  system. 

A  number  of  lawsuits  arising  from  the  ordinary  course  of  operations  are  pending  or  threatened  against  the 
Commonwealth.  For  those  cases  in  which  a  probable  loss  will  be  incurred  and  the  amount  of  the  potential 
judgment  can  be  reasonably  estimated,  the  AGO  estimates  the  liability.  The  current  portion  of  this  liability  is 
reported  in  the  appropriate  governmental  funds,  and  the  long-term  portion  is  recorded  in  the  General  Long- 
Term  Debt  Account  Group.  This  information  is  communicated  to  the  FRAB  annually  during  the  preparation 
of  the  Statutory  Basis  Financial  Report  and  the  Comprehensive  Annual  Financial  Report.  In  addition,  the 
AGO  confirms  the  cases  that  were  outstanding  in  the  prior  year  but  which  have  since  been  settled.  The  AGO, 
however,  is  unable  to  confirm  whether  the  amount  of  settlement  or  judgment  has  been  paid  prior  to  year  end. 

Procedures  do  not  currently  exist  to  either  link  the  AGO  information  to  the  accounting  records  or  to  track 
payments  and  rebates  or  abatements  made  by  the  Department  of  Revenue  in  order  to  determine  whether  a 
liability  exists  at  year  end  for  legal  cases  settled  but  not  yet  paid.  In  the  absence  of  such  tracking  procedures, 
adjustments  to  the  General  Fund  and  the  General  Long-Term  Debt  Account  Group  in  amounts  equal  to  $27 
million  and  $113  million,  respectively,  were  required  for  fiscal  year  2001. 

The  AGO  and  the  FRAB  should  work  together  to  develop  procedures  and  controls  to  correct  this  system.  This 
system  should  include  the  preparation  of  a  comprehensive  rollforward  of  all  cases  on  a  quarterly  or  semiannual 
basis.  The  AGO  should  continue  to  work  with  the  FRAB  to  develop  and  document  additional  procedures  for 
tracking  such  settled  cases  to  avoid  any  future  possible  misstatement  in  the  financial  statements.  The  FRAB 
should  also  develop  procedures  to  determine  major  payments  that  have  been  provided  for  by  legislation  to 
corroborate  many  of  the  large-dollar,  monetary  damage  suits  and  continue  to  track  all  cases  until  they  are 
actually  paid. 

Check  Reconciliation 

The  Public  Charity  Division  ("PC")  of  the  AGO  is  responsible  for  collecting  and  processing  informational 
returns  and  the  related  filing  fees  from  nonprofit  organizations. 

When  the  returns  and  checks  are  received  at  the  PC,  the  checks  are  batched  based  on  the  AGO's  sliding  fee 
scale,  e.g.,  the  $50  checks  are  batched,  the  $30  checks  are  batched,  etc.  The  total  number  of  checks  in  each 
batch  is  entered  into  an  Excel  spreadsheet,  and  the  total  dollar  value  of  each  batch  is  calculated.  A  tape  with 
the  total  value  of  all  the  batches  is  sent  to  the  AGO's  Finance  Department.  Personnel  in  the  Finance 
Department  recount  the  checks  and  separate  them  into  smaller  batches  for  ease  of  deposit  and  then  compare 
the  deposit  slips  to  the  tape  sent  by  the  PC.  If  a  discrepancy  between  the  slips  and  the  tape  is  found,  the  PC  is 
notified  so  that  it  can  amend  its  records.  No  reconciliation  is  performed. 

Ten  transactions  were  selected  for  examination  and  comparison  -  5  from  the  Finance  Department's  records 
and  5  from  the  PC's  records.  Eight  of  the  ten  did  not  reconcile  without  further  investigation  because  neither 
party  kept  copies  of  the  checks  or  a  log. 

We  recommend  that  the  PC  maintain  a  log  of  checks  received  or  make  copies  of  the  checks.  The  log  or  the 
copies,  along  with  a  copy  of  the  Excel  spreadsheet,  should  be  maintained  in  the  PC.  The  original  checks  and 
the  Excel  spreadsheet  should  be  forwarded  to  the  Finance  Department.  Any  discrepancies  between  the  PC 
data  and  the  Finance  Department's  deposit  slips  should  be  reconciled  and  resolved  immediately. 
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MASSACHUSETTS  HIGHWAY  DEPARTMENT 

Need  to  Monitor  Payments  to  Construction  Contractors 

During  the  test  of  expenditures,  it  was  noted  that  the  Construction  Division  ("Division")  held  one  payment 
voucher  of  $103,221  for  goods  and  services  rendered  between  December  18,  1999  and  February  26,  2000  until 
fiscal  year  2001.  The  Division  dated  the  payment  voucher  ("PV")  March  13,  2000  and  changed  the  beginning 
and  ending  date  of  service  to  July  1,  2000.  The  PV  was  not  received  and  entered  by  the  Fiscal  Division  until 
November  17,  2000. 

The  department  should  ensure  that  the  Division  processes  all  payment  vouchers  in  a  timely  manner  to  ensure 
compliance  with  the  Commonwealth's  prompt  payment  act  and  the  costs  are  recorded  in  the  current  year. 

Significant  Increase  in  the  Backlog  of  Complete  Contract  Audits 

Over  the  past  five  years,  the  backlog  of  completed  contracts  awaiting  final  audit  has  steadily  increased.  When 
last  reported  in  1996,  Audit  Operations  had  a  backlog  of  245  completed  projects  which  were  greater  than  three 
years  old.  Currently,  there  are  873  completed  contracts,  totaling  $657  million,  greater  than  three  years  old. 
Although  additional  effort  was  obtained  through  the  use  of  independent  CPA  firms,  it  does  not  appear  that 
there  are  adequate  resources  to  complete  all  audits  before  the  end  of  the  seven-year,  record-retention 
requirement  for  consultants. 

The  department  should  consider  increasing  Audit  Operations  staff  and  further  supplementing  its  resources  by 
retaining  additional  independent  CPAs  until  the  backlog  is  reduced. 
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DEPARTMENT  OF  REVENUE/DIVISION  OF  CHILD  SUPPORT  ENFORCEMENT 

Preparation  of  Federal  Cash  Transactions  Report  Needs  to  be  Consolidated 

The  Department  of  Revenue/Division  of  Child  Support  ("Division")  needs  to  consolidate  into  one  department 
the  preparation  of  the  Status  of  Federal  Cash,  PMS-272  Report.  The  involvement  of  two  departments  is 
inefficient  and,  in  instances  where  there  is  a  lack  of  communication,  may  result  in  errors. 

The  PMS-272  is  a  quarterly  repoit  that  provides  total  accountability  of  all  federal  cash  received  by  the 
Division.  It  is  partially  prepared  by  the  Division  of  Payment  Management  ("DPM")  within  the  Department  of 
Health  and  Human  Services,  based  on  data  reported  to  DPM,  and  is  completed  and  certified  by  the  Division. 
Presently,  the  report  is  prepared  by  both  the  Finance  Unit  at  the  division  level  and  the  Budget  Unit  at  the 
department  level.  All  other  federal  reports  are  prepared  solely  by  the  Finance  Department  without 
involvement  from  the  Budget  Department. 

The  1st  quarterly  report  for  the  large  grant  was  prepared  and  submitted  by  the  Finance  Unit.  The  Budget 
Department,  believing  it  was  correcting  a  previous  error,  proceeded  to  submit  a  revised  version  of  this 
quarterly  report.  The  Finance  Unit  had  already  submitted  a  report  correcting  the  error,  so  it  then  had  to  adjust 
another  PMS  272  Report  so  that  the  reports  are  now  correct.  The  Division's  internal  controls  did  uncover 
these  errors;  however,  the  error  would  not  have  occurred  had  one  department  been  responsible  for  the 
production  of  the  report. 

In  addition,  a  review  of  the  3rd  quarter's  small  grant  report  disclosed  that  the  manual  version  was  originally 
submitted  unsigned.  Division  officials  explained  that  the  Commissioner  was  out  the  day  the  report  needed  to 
be  submitted,  it  was  late,  and  the  DPM  informed  the  Budget  Director  that  the  federal  government  was  going  to 
shut  down  the  draws  if  the  report  was  not  filed  that  evening.  The  Budget  Director  signed  the  report  to  submit 
it  as  quickly  as  possible.  The  Deputy  Commissioner  eventually  properly  reviewed  and  signed  the  report. 
However,  the  report  was  then  dated  July  10,  2001,  after  the  submittal  date  of  the  report. 

The  Division  should  assign  responsibility  for  preparing  and  submitting  the  PMS  272  Report  to  the  Finance 
Unit  -  the  Unit  which  prepares  and  submits  all  other  federal  reports  which,  when  reviewed,  were  accurate  and 
timely.  Such  action  will  help  ensure  that  the  PMS  272  Report  is  completed  and  submitted  in  a  timely  manner. 
In  addition,  the  report  should  be  submitted  for  review  only  to  the  authorized  division  reviewer  prior  to 
submittal  to  the  federal  government. 

Vacant  Positions  Need  to  be  Filled 

There  are  a  large  number  of  vacant  positions  within  the  Division.  The  Division  lost,  through  attrition,  a  total 
of  45  positions,  or  6%  of  its  staff,  in  fiscal  year  2001.  Legal  and  caseworker  staffing  levels  have  been  most 
significantly  affected  by  the  attrition;  however,  key  management  positions  have  been  lost  as  well.  A  few 
examples  of  vacant  management  positions  are  within  the  Finance  Unit  and  include:  the  Director,  Deputy 
Director,  and  Manager  of  the  Financial  Processing  Unit.  Significant  and  prolonged  understaffing  in  legal  and 
caseworker  positions  affects  the  Division's  ability  to  meet  federal  performance  standards  for  establishing  and 
enforcing  child  support  obligations  and  claiming  additional  federal  incentive  payments.  In  addition,  lack  of 
consistent  management  in  the  Finance  Unit  places  internal  control  protocols  at  risk  and  impairs  the  Division's 
ability  to  adequately  reconcile  its  accounts  and  ensure  that  the  work  is  being  done  properly. 

The  Commonwealth's  recent  hiring  freeze  may  impact  filling  these  vacancies.  Nonetheless,  the  Division 
should  focus  on  hiring  for  legal  and  caseworker  positions  as  well  as  a  strong  team  to  manage  its  Finance  Unit. 
Cross  training  of  individuals  would  also  help  alleviate  the  current  staffing  shortage. 
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COMPONENT  UNITS 

Component  Units  Need  to  be  More  Responsive  in  Submitting  Financial  Statement  Information 

While  there  has  been  a  significant  improvement  in  the  responsiveness  of  various  component  units  in 
submitting  financial  statements  to  the  Financial  Reporting  and  Analysis  Bureau  by  the  financial  reporting 
deadline,  several  of  the  component  units  again  failed  to  submit  their  final  audited  financial  statements  prior  to 
the  November  1,  2001  deadline  established  by  the  OSC.  This  resulted  in  several  late  adjustments  and  the  need 
to  adjust  disclosures  in  the  CAFR.  Continued  improvement  is  necessary  for  accurate  financial  reporting. 

The  OSC  provides  GAAP  reporting  requirements  and  guidelines  to  representatives  from  each  component  unit 
to  ease  the  financial  reporting  process.  For  2001,  the  OSC  suggested  a  uniform  set  of  accounting  policies  and 
financial  statement  disclosures  for  the  component  units.  This  helps  the  OSC  organize  information  for 
inclusion  in  the  Commonwealth's  financial  statements  and  helps  ensure  that  similar  accounts  across 
component  units  are  grouped  together  properly. 

Currently,  the  general  purpose  financial  statements  of  the  Commonwealth  include  thirty-three  component 
units.  Each  of  these  component  units  is  subjected  to  an  audit  and  is  required  to  report  its  financial  statements 
in  accordance  with  GAAP. 

The  OSC  should  continue  to  hold  group  and  individual  meetings  with  the  various  component  units  to 
encourage  an  "ownership  interest"  in  the  financial  statements  and  communicate  the  role  they  play  in  the 
preparation  of  the  Commonwealth's  financial  statements.  This  role  will  become  even  more  important  with  the 
implementation  of  GASB  Statements  34  and  37  in  fiscal  year  2002,  which  will  dramatically  change  the  format 
of  the  financial  statements.  Since  next  year's  financial  statements  will  be  more  complex  than  in  past  years,  it 
is  important  to  stress  timely  compliance.  Discussions  should  also  focus  on  the  disclosures  needed  in  the 
component  units'  financial  statements  in  order  to  meet  their  responsibility  to  comply  with  the  standards 
established  by  the  Government  Accounting  Standards  Board.  The  component  units  should  participate  in 
establishing  the  time  lines  under  which  they  provide  the  necessary  financial  statement  information  within  the 
broader  time  lines  established  by  the  OSC.  The  component  units  should  also  inform  their  independent  auditors 
of  the  importance  of  the  established  deadlines. 

Reporting  of  the  Commonwealth  and  Other  Entities 

For  financial  reporting  purposes,  the  Commonwealth  GAAP  financial  statements  include  all  funds, 
organizations,  account  groups,  agencies,  boards,  commissions  and  institutions  for  which  it  is  accountable  as 
required  by  GASB  Statement  No.  14,  "The  Financial  Reporting  Entity."  The  Commonwealth  has  also 
considered  all  potential  component  units  for  which  it  is  financially  accountable,  as  well  as  other  organizations 
for  which  the  nature  and  significance  of  their  relationships  with  the  Commonwealth  are  such  that  exclusion 
would  cause  the  Commonwealth's  financial  statements  to  be  misleading  or  incomplete  under  the  requirements 
of  GASB  Statement  No.  14.  Each  of  these  entities  should  apply  the  appropriate  basis  of  accounting  under 
GAAP.  While  various  options  exist  under  GAAP  for  the  appropriate  measurement  focus  and  basis  of 
accounting  to  be  used  by  certain  component  units,  there  should  be  consistency  for  similar  entities  within  the 
Commonwealth  and  agreement  on  the  accounting  for  transactions  and  other  activities  that  impact  both  the 
primary  government  and  the  component  units. 
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One  area  where  there  is  no  uniformity  of  accounting  is  the  Regional  Transit  Authorities  ("RTAs").  Of  the  15 
RTAs,  12  follow  proprietary  accounting  and  three  follow  governmental  accounting.  RTAs  are  generally 
considered  to  be  entities  that  should  follow  proprietary  fund  accounting.  Upon  implementation  of  GASB  34,  it 
is  planned  that  these  RTAs  will  transfer  to  business-type  accounting. 

All  discretely  presented  component  units  that  are  proprietary  should  report  using  a  flow  of  economic  resources 
measurement  focus  and  the  accrual  basis  of  accounting.  University  and  college  fund  activities  should  be 
reported  using  the  accrual  basis  of  accounting.  These  entities  should  adopt  uniform  accounting  standards  in 
accordance  with  GAAP  and  in  accordance  with  standards  established  by  the  Commonwealth  and  the  GASB. 
New  standards  issued  by  the  GASB  should  be  implemented  in  accordance  with  the  provisions  and  guidance 
provided  by  the  Commonwealth  and  the  GASB.  Symmetry  of  adopting  accounting  standards  among  the 
primary  government,  the  component  units,  and  institutions  of  higher  education  entities  will  greatly  assist  in 
accurate  and  timely  financial  reporting. 
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THE  MASSACHUSETTS  TEACHERS'  RETIREMENT  BOARD 

Need  for  Increased  Controls  Over  Submission  of  Teachers'  Retirement  Data  as  Reported  to  the 
Teachers'  Retirement  Board  ("TRB") 

In  order  to  accurately  track  teachers'  retirements,  the  Teachers'  Retirement  Board  ("TRB")  collects  data  from 
every  school  district  in  the  Commonwealth.  Chapter  32  of  the  Massachusetts  General  Laws  requires  that  the 
data  must  be  submitted  to  the  TRB  within  10  days  after  the  end  of  the  month.  This  data  includes  demographic 
information  (name,  address,  date  of  birth,  etc.),  information  regarding  the  individual  teachers'  retirements 
(contribution  rate,  contribution  amounts,  date  of  hire,  years  of  service,  etc.),  teachers'  contribution  information 
(percentage  of  salary  withheld,  total  dollars  withheld  for  the  pay  period,  etc.),  and  the  actual  amount  collected 
from  employee  contributions. 

In  the  past,  this  information  was  difficult  to  obtain  because  there  was  no  common  system  for  receiving  this 
data.  However,  in  1997,  the  TRB  developed  a  uniform  reporting  format  which  is  compatible  with  major 
commercial  payroll-reporting  software  packages  (such  as  ADP,  Munis,  etc.).  The  TRB  also  developed  and 
provided  a  reporting  software  package  currently  used  by  over  eighty  districts  and  charter  schools.  Every  year, 
the  TRB  holds  several  regional  employer  training  seminars  for  school  payroll  and  business  officials.  The  TRB 
staff  also  provide  onsite  training  for  newly  hired  school  payroll  officials  and  districts  having  reporting 
difficulties.  Despite  the  efforts  of  the  TRB,  certain  school  districts  within  the  Commonwealth  do  not  submit 
the  data  on  a  timely  basis  and  the  TRB  is  required  to  pursue  the  data  that  is  not  provided  by  the  school 
districts.  When  teachers  within  these  districts  are  ready  to  retire,  the  TRB  is  unable  to  process  the  retirement 
paperwork  because  the  records  are  incomplete.  This  results  in  retired  teachers  not  being  able  to  receive  their 
retirement  benefits  in  a  timely  manner.  In  addition,  when  the  districts  do  not  submit  retirement  contributions 
on  time,  the  teachers'  overall  benefits  will  suffer  since  the  TRB  is  unable  to  earn  investment  income  on 
contributions  that  they  have  not  yet  received. 

Under  Chapter  32,  Section  18,  Paragraph  1A,  "If  the  Board... determines... that  there  has  been  an  unreasonable 
delay  in  filing  of  any... required  information,  the  Board, ...shall  so  notify  in  writing  such  treasurer  or  other 
disbursing  officer.  If,  within  thirty  days  thereafter,  the  Board... has  not  received  such  required  information,  the 
Board... may  petition  the  superior  court  to  compel  compliance  with  this  section  and  enforce  the  (_  nalty  there 
under." 

In  order  to  remedy  the  current  situation,  the  Board  should  continue  to  notify  the  members  responsible  for 
reporting  the  districts'  information  and  remitting  the  appropriate  contributions.  If  the  latter  fails,  the  TRB 
should  use  the  option  of  petitioning  the  superior  court  to  enforce  compliance. 

The  Board  has  submitted  legislation  that  would  require  local  school  districts  to  submit  monthly  data  and 
contributions  on  a  more  timely  basis  or  be  subject  to  an  interest  penalty. 
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